Treat p=reject as a rollout, not a switch: observe, fix alignment, quarantine, then enforce.
p=reject is the destination, not the starting point. Almost every domain we onboard starts at p=none — and the failure mode we see most is people skipping the intermediate steps and discovering, on a Monday morning, that their CRM has been silently dropped by Gmail for a week.
Here's the ramp we recommend, and the three concrete things to verify before each promotion. No surprises.
Week 1 — Observation at p=none
Publish a monitor-only policy and let receivers tell you who's actually sending mail.
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:r-…@dmarcify.dev; ruf=mailto:f-…@dmarcify.dev; fo=1"
That's it for the first week. Receivers will email reports daily; DMARCify parses them, groups by source IP, and resolves PTR/ASN/country so you can see "Google Workspace sent 18k, SendGrid sent 2k, an unknown box in NL sent 50."
Before moving to the next step, verify:
- Reports arrived from Google, Microsoft, and at least one other receiver.
- The rua address in DNS matches the DMARCify address for the domain.
- The report stream contains real production volume, not just test messages.
Week 2 — Fix alignment for legitimate senders
Look at the "unknown" and "failing" buckets. For each one, decide: is this a sender we own (the CRM, the support tool, the marketing platform), or is it noise?
- Owned + failing: usually means the vendor hasn't been set up with a custom DKIM signing domain. Every reputable ESP supports this — it's a couple of CNAMEs.
- Owned + only-SPF-aligned: fine for now, but DKIM is the more durable signal. Ask the vendor for "DKIM signing with your own domain."
- Noise: mailing list forwarders, "fwd to my Gmail" personal forwards. DKIM-aligned, SPF-broken. Leave them alone — they'll align once you're on p=reject because forwarders don't strip DKIM signatures.
Before moving to the next step, verify:
- Every owned sender shows at least 99% DKIM alignment for three consecutive days.
- Any SPF-only sender has a DKIM setup task assigned to the platform owner.
- Forwarder-shaped failures are classified separately from unknown unaligned traffic.
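The Week 2 check can be scripted against the aggregate (rua) reports themselves. The following is an added example, not DMARCify's code: it groups report rows by source IP, buckets each source by its DMARC-evaluated DKIM and SPF results, and applies the 99%-for-three-days rule. It assumes one report per day and that owned senders are identified by source IP; the function names and sample reports are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def record(ip, count, dkim, spf):  # hypothetical helper: builds one constructed <record>
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row></record>")

# Constructed sample: three daily reports using documentation IPs (RFC 5737).
# 192.0.2.10 = DKIM-aligned sender, 198.51.100.7 = SPF-only vendor, 203.0.113.50 = unaligned.
DAILY_REPORTS = [
    "<feedback>" + record("192.0.2.10", 5990, "pass", "pass")
    + record("192.0.2.10", 10, "fail", "fail") + record("198.51.100.7", 700, "fail", "pass")
    + record("203.0.113.50", 50, "fail", "fail") + "</feedback>"
    for _ in range(3)
]

def summarize(xml_text):
    """Per source IP: message total plus DMARC-evaluated (aligned) DKIM and SPF passes."""
    # Reports arrive from external senders; refuse DTDs so entity expansion is never parsed.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in a rua report")
    stats = defaultdict(lambda: {"total": 0, "dkim": 0, "spf": 0})
    for r in ET.fromstring(xml_text).iter("row"):
        n = int(r.findtext("count"))
        s = stats[r.findtext("source_ip")]
        s["total"] += n
        s["dkim"] += n * (r.findtext("policy_evaluated/dkim") == "pass")
        s["spf"] += n * (r.findtext("policy_evaluated/spf") == "pass")
    return dict(stats)

def bucket(s, threshold=0.99):
    """Week 2 buckets: DKIM-aligned, SPF-only (needs a DKIM task), or failing."""
    if not s["total"]:
        return "failing"
    if s["dkim"] / s["total"] >= threshold:
        return "dkim-aligned"
    return "spf-only" if s["spf"] / s["total"] >= threshold else "failing"

def ready_to_promote(daily_reports, owned_ips, days=3):
    """True only if every owned IP is DKIM-aligned in each of the last `days` reports."""
    recent = [summarize(x) for x in daily_reports[-days:]]
    # An owned IP missing from a day's report counts as "not verified", not as a pass.
    return len(recent) == days and all(
        ip in day and bucket(day[ip]) == "dkim-aligned" for day in recent for ip in owned_ips)
```

A real pipeline would merge reports from several receivers per day before applying the threshold, and would map sources to senders by PTR/ASN rather than a fixed IP list.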
Week 3 — Quarantine
Promote carefully. Quarantine means receivers can place failing messages in spam, so the sender inventory needs to be clean before this step.
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:r-…@dmarcify.dev; ruf=mailto:f-…@dmarcify.dev; fo=1"
Before moving to the next step, verify:
- Legitimate quarantined volume is near zero.
- No support, billing, CRM, or transactional mail source newly appears in the failing bucket.
- A rollback DNS change is ready if a missed sender appears.
Week 4 — Reject
Once quarantine is clean, flip to p=reject.
_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:r-…@dmarcify.dev; ruf=mailto:f-…@dmarcify.dev; fo=1"
Week 5 — Keep watching
Keep the record as-is and watch for new senders.
_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:r-…@dmarcify.dev; ruf=mailto:f-…@dmarcify.dev; fo=1"
From now on, the only thing to watch for is new senders showing up in the dashboard — someone connecting Marketo to your domain, a forgotten staging service waking up. DMARCify sends a digest specifically for this.
The shortcut
If you'd rather not run this manually, the AI auto-policy feature on Pro does exactly this staged ramp, watching your alignment numbers and only promoting when the dashboard is clean. You stay in control — every promotion shows a "promote / wait" proposal in the dashboard you can override.

